Who is Participating?

I discovered the problem was Desktop Authority Password Self-service. It's a tool we use for users to reset their own password and unlock their own account and they've since fixed the issue in a newer version.

I think the question here is what happens behind the scene when you press ctrl+alt+del. As far as I know all that happens is that the logon screen loads. If I understand your question correctly, you aren't even past the logon screen yet, correct?

When you look at your logon options, how many domains display? Are they all valid active and trusted domains?

I would consider the following:
Is it slow because services are still loading in the background?
Is it slow because there is a bogus domain listed as one of the potential logon domains?
Is it slow because a group policy is applying a computer policy to the PC?

What happens if you disconnect the PC from the network and try ctrl+alt+del?

Is your DNS servering forwarding to your ISPs DNS
Is there only one DC at your location?
Are all the DCs on the same domain? If yes you are setup as sites (I am assuming all Windows 2008 DCs)
Which DC has all master role (would most likely be 1st DC setup in the org)

0

HospiceChesapeakeAuthor Commented: 2011-03-01

We use OpenDNS rather than our providers DNS because of what OpenDNS offers.

We have only one DC/DNS server at each location, except our Datacenter, which no one authenticates to anyways.

They are all on the same domain - we have only one domain. Each site has it's own site name and everything exists within that site.

The primary DC is at our Datacenter so its not one that anyone would authenticate to at a local office.

Try changing the 1st DNS on your local DC to its IP address instead of 127.0.0.1
That is a MS recommendation if only 1 DC on the site, yeay 127.0.0.1 is supposed to work too, but MS will suggest you use the machine's IP address

If two DCs then 1st DNS should be second DCs IP
and 2nd DNS should be same DCs IP

0

HospiceChesapeakeAuthor Commented: 2011-03-01

So you're saying since I have only 1 IP, I use the local loopback (127.0.0.1) for DNS #1 and the actual IP of the same server for the secondary dns?

0

HospiceChesapeakeAuthor Commented: 2011-03-01

I just made that change, setting both the primary and secondary IP to point to the same server and i'm not sure how fast I should see the change, but it didn't seem to make an immediate difference to say the least...

0

HospiceChesapeakeAuthor Commented: 2011-03-01

Actually I think I may have become confused.

So, on the DC, it should be Primary DNS the actual IP address. And leave the secondary DNS empty?

What about the DHCP server? Obviously the Primary DNS on that should point to the local dc, but what about the secondary? Should it still point to the other DC as a failsafe?

0

HospiceChesapeakeAuthor Commented: 2011-03-01

As a test, I made only the local DC the primary DNS and left the secondary blank, so it only would hit the local DC... and that made no difference :(

Have you added anything new to the network? Is the whole network running slow or is it just logon? One thing I had a while back ago was someone added an extra cable from a server already plugged into the network creating a loop. It caused much havoc on the network.

0

HospiceChesapeakeAuthor Commented: 2011-03-01

Hmm you know, we'll have our up and down moments. We have a Datacenter that we connect to and some days it seems like files open and save fast and some days it's slow. But, it could be because we're on FiOS at this particular location.

There's definitely something not right with the network and pin pointing it is going to be a disaster, I feel it... =\

Do you have any start-up logon scripts under the Computer section of any of your GPOs? The two last things that take place before you press Ctrl-Alt-Del are Apply Computer GPOs then run startup scripts. I wonder if any scripts are still running. Again, I would setup debugging to better identify what is happening - probably the first thing Microsoft would ask you to do to start troubleshooting. Also, Microsoft specifically told me about a month ago that they now recommend 127.0.0.1 instead of using the DNS server's own IP address. Just throwing that out there. Their logic was less chance of a problem if you were to ever change IP addresses of the DNS server. Made logical sense to me.

0

HospiceChesapeakeAuthor Commented: 2011-03-01

We use Desktop Authority ScriptLogic as our startup script; however, I believe this run's 'after' the login has been initiated. I don't believe we have anything in the GPO itself for startup.

I'm now confused on the DNS server. On the server itself, the Primary should be 127.0.0.1 and the secondary should be what... the same IP? an IP of another DC? what?

Keep in mind td tohat since you have disabled “Always wait for network at computer startup and logon”, any changes to Group Policy won't be noticed until the second time you logon. With that disabled, the OS uses cached GPO settings from the last logon session.

0

HospiceChesapeakeAuthor Commented: 2011-03-01

Can't I do a gpupdate /force? Right now I'm on a VPN... also, Desktop Authority pushes out updates instantly.

0

HospiceChesapeakeAuthor Commented: 2011-03-01

Also that GPO change, was made last week... so it definitely has had time to replicate.

Not sure what change you are referring to, but even if you do a gpupdate /force after removing your PC from Desktop Authority, you will be prompted to reboot for all GPOs to apply, do perform this reboot. Remember, the only GPOs we are concerned about are ones which apply to your computer, not to you as a user, so make certain your PC is removed from Desktop Authority. Well, I am off to drinking wine and watching college basketball. Good luck and go Buckeyes.

0

HospiceChesapeakeAuthor Commented: 2011-03-01

What I was referring to was removing the script that starts Desktop Authority on my computer upon boot. This is found in AD Users/Computers in the Profile tab - thats the only way to fully remove ones self from Desktop Authority. So, if that doesn't do it... it's something else.

In the DC's nic config the first DNS should be 192.168.1.12
The second DNS can be any of the other site DC IPs 192.168.2.xx

In your DHCP the first DNS should be 192.168.1.12

Note: It depends on who you talk to in MS. I worked with their senior engs on the DNS in relation to pure 2008 ADDS and they adviced me on not to use the 127.0.0.1 eventhough it shoiuld work with that config.

0

HospiceChesapeakeAuthor Commented: 2011-03-01

Well, it's looking like we can rule DNS out at this rate anyways... nothing I seem to try DNS related is making a difference. Tomorrow we'll see if Desktop Authority plays a role. If it does, then I'm just screwed because we can't get rid of it.. if it's not the problem, then I'm still in the dark.

0

HospiceChesapeakeAuthor Commented: 2011-03-01

It just dawned on me that Desktop Authority is 100% user based... so it really shouldn't make any difference with this issue because I could be on any computer, trying any other user, you know?

I'll rule it out tomorrow for sure, but it just doesn't sound like it's going to make a big difference, but you never know...

0

HospiceChesapeakeAuthor Commented: 2011-03-02

Ok so I tested with Desktop Authority disabled for my username (because you can't disable it per computer) and I did notice it was slightly faster from a cold boot to do the Ctrl+Alt+del HOWEVER, I then locked the computer and did a Ctrl+Alt+Del and it still took forever - so I'm going to guess it's probably not Desktop Authority....

Are you using roaming profiles? If so, here are some things to check: (if not, ignore these)

Too much user profile data:
In Windows Explorer, R-click and check the properties on the folder \Documents & Settings\UserName
Note the size of the folder (in mb or gb) - If you are using vista or win7 you will also need to check \Users\UserName
If the total of these folders is over 2gb, then that could cause slow loading. Sometimes users will install itunes or something else that put a lot of data under these folders and roaming profiles has to synchronize all this data with what is in the server profile folder.

There may also be a lot of Temp & temporary internet files (usually skipped but not always) that it syncs. Also recent files folder does not clean up itself. If you find a lot of space used, you may have to find where it is. - Also if you use Outlook, there could very large .ost and .pst files there that are constantly being transferred to the server profile. You can move then to another server or local location.

Test for a corrupted profile:
Login as a given user. Make sure that the that user is not logged in anywhere else.
Browse to the server & folder where the roaming profile is located. Rename the folder for the profile assigned to the given user ie: ProfileFolder.bad.
Create another folder with the with the same name as the original folder.
Back at the workstation, log out of the domain normally. It will take a while to rebuild the profile.
Log back in and test the for the lag.

Roaming profiles need maintenance to keep them efficient, either by admins or user practices. In different forums I read that many techs do not use them because of this & other troubles. For us, the convenience outweighs the cost of maintenance.
My 2¢ worth

Desktop Authority will keep the settings on the computer, you may have to login to a computer (as a test) and remove DA completely, then undo the settings it's already changed. Did you upgrade to a newer DA recently? I've noticed especially with the windows 7 users it was particularly slow, and especially login. I had to go in to each machine to undo most of what it had done to those machines.

0

HospiceChesapeakeAuthor Commented: 2011-03-03

The problem is, we cannot remove DA as it's an integral part of our organization. However, I don't mind trying to uninstall it completely just to see if that's the root cause.

I know that Desktop Authority has 8.1 update out. We're still on 8.04 so I've been wondering if updating would help anything out.

On 03/01/11 04:07 PM, I had asked that he disable DA to test. If you can't remove or disable it for the computer settings, then at least call DA support and ask if they have seen your issue before. They have a forum which the question could be asked of others, you just need to have a valid license to access it. In other words, rule out DA before looking any further please.

0

HospiceChesapeakeAuthor Commented: 2011-03-07

I apologize - I meant to uninstall DA altogether on this machine today but had absolutely no opportunity to do so. I will set myself a reminder tomorrow to do so.

With the DA services removed from my machine completely - this should satisfy the test.

In fact - so I won't forget, I'll go ahead and uninstall now, that way first thing in the morning (which is where I always complain the most cause of the first logon taking forever) this will be a good indicator ... ruling out DA immediately.

Ok - I tried deleting Desktop Authority altogether... made no difference at all.

0

HospiceChesapeakeAuthor Commented: 2011-03-08

@ChiefIT

DisableCAD currently = 0 (which I assume we want for security reasons)

As for Fast User Switching, the article you lead me to doesn't seem to apply to Windows 7. I did find that within the GPO is something called "Hide entry points for Fast User Switching" which is what they refer to as enabling/disabling it I suppose.

Currently, we have the ability to "switch user" turned on (well, the policy is actually not configured) so that we can switch user over to an admin account as needed.

While looking for the correct reg key, I did see an article about a WIN7 computer that the welcome screen for thirty seconds, (by design). It's stems from having a SINGLE color background on the desktop. Let's see if I can find it again.

Actually we can already rule this out because a.) it's not the delay 'after' logging in that's the problem, it's the control+alt+delete and then waiting for Username/Password to show up that is the problem. And, B.) we actually use Themes, so we don't have a solid background.

Thanks for the tip though - this could explain some delays on our servers though...

0

HospiceChesapeakeAuthor Commented: 2011-03-08

To me, this totally seems like a 'network' related issue for some reason.

Almost like it's going out to find something ... maybe it's pulling GPO information, or DC information, IDK but it's not just me, it's a wide scale issue so it's definitely not a segregated issue.

Open Windows Explorer, Alt to open the top menu, Tools, View tab, under advanced settings - un-check the option "Automatically search for network folders and printers" and see if that makes a difference.

Another thought, do you have any NAS drives mapped to the workstations? If so, try disconnecting the NAS drive and do a shut-down, then see if things get faster.

One more idea, run MSconfig and stop all programs from loading on boot, If the problem goes away- add them back in - one at a time until the lag returns. It might give you more clues on where to look. Please forgive me if you have already tried these. Just trying to cover all bases.
:-)

If it were a network related issue, the slowness would come when logging in, (as in the case of the solid color desktop). I have seen it too many times before where after the splash screen that loads the third party drivers, you get (opening network connection). ..

To me, this sounds like the CTRL ALT DEL Context menu handler. A context menu handler for right click brings up a menu that allows you to copy/paste etc... The context menu handler for CTRL ALT DEL should bring up the logon screen. Sometimes these Context menu handlers get hosed by third party software.

0

HospiceChesapeakeAuthor Commented: 2011-03-08

@dosdet2 - I cannot seem to locate the Automatically search for network folder and printers in Windows 7 where you described it to be.

We have no NAS drives installed at all on these laptops / desktops.

I'll give the MSConfig a try - but again, I'm thinking it's network related. Also, I checked and there are no scheduled tasks.

I did have a thought that maybe everyone can look at... we use a 'custom' User profile picture. Could THIS be causing the slow down? What if I disable this custom picture and see what happens??

At this point anything is worth a try if just to gain further clues or eliminate a possibility.

What I was thinking about in the MSconfig was a third party program loading an "updater' module that was trying to downloading updates. Or maybe an anti-virus checker or similar program that has central management.

0

HospiceChesapeakeAuthor Commented: 2011-03-08

Let me elaborate a bit.

The GPO is Computer Config. > Admin Templates > Control Panel, User Accounts and "Apply the default user logon picture to all users" we have this enabled to show our company logo.

It's a relatively small file, so I really don't see why this would be any impact. But, I suppose I could try turning it off and see what happens... right?